So anyway, here you go. Here's your speaker. Enjoy.
Good morning.
Thank you all very much for coming out for what I understand is an early DEF CON morning.
I would very much like to show you my slides, but as we can see,
there might be a little bit of a technical glitch.
And I would really honestly love to get started, but it's kind of crucial to have the slides.
So I thought maybe we could try the reverse and do a bit of Q&A.
How many people are into radio?
All right, cool.
How many people have...
Who knows what a software-defined radio is?
And how many people have actually played around with one?
And how many people own one?
And how many people have a USRP?
How many people have a Realtek TV dongle?
Cool.
And who knows GNU Radio?
Excellent.
That's very encouraging.
Applause already.
What?
If I...
If you...
Pardon me.
Debugging across the room.
Do you know whether you are actually receiving the signal from my laptop?
Yeah.
It's a different...
Yeah, you're sending it out.
You're fine.
It's not you.
It's not you.
Would it be possible to temporarily connect one projector or something?
It's actually the multiplexer back there.
All right.
Yeah.
It's not you.
Keep on going.
By the way, the Q&A, time's passed.
We used to have a Q&A where we'd get together and we'd go to a room to a Q&A.
There's one big massive Q&A room back there.
And if this gentleman over here wants to take beers and shots and whatever,
to talk to him at the bar, that's a good Q&A area.
So this year the Q&A is pretty much going to be handled out in the hallway
or wherever else that you all deem necessary.
So at the end of the talk, we'll have to...
Stop him, actually.
Yeah.
So...
I'm okay with that.
So let me get this guy up and running.
All right.
Just go ahead.
Keep on going.
Yeah.
Well, I guess I should also add that my name is Balint Seeber.
As you might gather, I'm not originally from around these parts.
I moved to the States about the middle of last year.
I had been sort of mucking around with Software Defined Radio in my own time.
I had been working on a PhD, but unfortunately for that,
through a friend, I discovered what Software Defined Radio was about
and I just let the PhD slide in.
And I'd like to show you some of the things I did during that time.
Since then...
Since then, I actually joined Ettus Research.
So I'm an applications engineer there.
And I guess one little bonus is that I get to play around with some cool new toys,
one of which I'd like to sort of show you today.
Do you want to check the...
Yeah.
No, that's the right way.
Yeah.
Change it down to 1040x40.
That's...
Okay.
1040x60.
You're right.
I mean, I have another laptop.
Do you want me to try...
Do you want me to show you that one?
You can.
It won't hurt, but...
That's right.
That's the right thing.
Okay.
Any more questions?
What's your drink of choice?
What's my...
Drink of choice.
I'm actually not much of a drinker, you know?
You will be after this.
I was thinking that might be the case.
I guess, I don't know, do any of you recognise this or anything like it?
It's a FasTrak tag that you normally affix to your car.
It gets scanned when you go through the toll booths.
This is a nice antenna that you can actually read these with.
And I figured...
I can't quite remember how I came across it, but I came across some...
I don't know if you see...
There was a Black Hat talk in 2008 that actually dealt with opening these up
and reversing, decompiling the firmware.
That was really nice, and that was quite a common vector
where you go into the chip and extract the software.
But I figured that I would try and implement the radio side of it.
And so I just did it over two nights last week.
But very simply, it will read the ID, as it's not an encrypted protocol,
out of one of these tags.
You just hold it up there and it will read it out.
I would have some nice images to demonstrate that a little later on.
But I guess I can sort of hand wave in the meantime.
I don't know, I'm kind of giving you the summary of the entire thing.
I don't know, how are we doing back there?
This is not quite the start that I was expecting.
Is anybody doing any cool projects in SDR at the moment?
Oh, I had a question there.
You mentioned the RTL2832?
Yes, I did.
I'd like to hear more.
Okay, well, let me grab one.
I carry one around with me.
Thank you.
All right then.
So, thanks for coming.
Just wanted to tell you a little bit about me.
I've always been obsessed with electronics,
and wireless.
I think this is in the kindergarten or first grade.
I don't know what the hell I was making,
but it contained part of an old tape deck coming out the side there.
It had a blinking light with a VU meter.
That was really cool for me.
Contraptions.
Now, obviously, I'm trying to actually build it.
This is on the top of a park back in Sydney with a friend of mine.
We put together a very long wire antenna there
because we were trying to pick up the Cherry Ripe numbers station
that was supposedly broadcasting out of Guam.
That was run by MI6, I believe.
Unfortunately, we tried a couple of successive weekends
and then realised that actually the station had already been shut down.
It was still fun to get the images, I guess.
So, I'll rush through the overview then.
I'll do a little bit of basic RF 101,
my journey into software-defined radio to sort of shape the talk,
how I originally got into sort of decoding RF systems with hospital pages,
one of my favourites, tracking aeroplanes,
and then looking at how you can actually decode data
that you know nothing about, in this case, coming down from satellites.
A bit of direction finding and a little bit of FasTrak.
So, just to do a quick recap for those of you that aren't that experienced,
the idea behind radio is that you have a carrier wave.
This is of a particular single frequency.
And if you were to view it like this on a graph with time going from left to right,
you would see yourself.
This is your sine wave and the amplitude, obviously, on the y-axis.
And the idea is that you have your information,
whether it be voice, for example, or digital bits.
Can you hear me OK, by the way? Is this a good distance?
It goes into a modulator and then you mix,
which is that sort of circle with the x,
you mix that with the carrier, which puts it up to the frequency that you want to transmit at.
So, if you want to transmit FM radio, then you would dial that in on your radio.
At the radio station, put in your music
and then out comes the music on that radio.
At a particular frequency.
So, the most simplest kind of modulation is called on-off keying,
which is literally where you turn on and off the carrier wave.
And the simplest example of this is Morse code.
Anyone good with Morse code?
Can you tell me what that means?
Defcon, correct.
And then it goes all the way up to the more complex stuff,
which is pretty much used in all the modern digital modulations.
So, OFDM, and it's used in a whole host of ones that we use pretty much every year.
So, if we look at AM and FM in the time domain,
you have your carrier up at the very top,
you have your signal just below it,
and then depending on what modulation you use,
you either get an amplitude modulator wave,
and you can see how the carrier's amplitude is now sort of matched
with that of the signal,
or with the frequency modulator version,
the carrier maintains the same amplitude,
but the instantaneous frequency changes with the change in the signal.
So, that's kind of how it works.
It's sort of a basic difference in some simple modulation schemes.
So, here's an example of Spectrum.
This is a recording that I made
of an automated broadcast from an airport
regarding the state of the runways.
I don't have any audio.
Can I have the laptop audio back?
Oh, is it?
Thank you.
So, this is actually amplitude modulated.
You have a carrier in the middle,
and then either side you have identical sidebands
that contain this voice information.
So, the modulation will define what it will look like
on that sort of spectrum.
So, we were looking at AM signal,
so that's symmetric about the carrier there.
FM, you have the notion of a carrier,
but actually, because it's being frequently used,
the frequency modulated,
and the frequency is moving around all the time
based upon the signal,
it looks a little bit different.
And finally, you have a digital modulation scheme,
C4FM.
Yeah.
But, of course, that's not legal.
I'll come back to more of that kind of thing later.
Does anybody know about Project P25?
I was about to say Pentium 25.
P25, yeah.
So, it's a digital voice standard
that's used by first responders all around the world,
both in America and in Australia
and in various other places.
It's maximum.
And so, because it's digital modulation,
this one actually is sort of an FM variant,
but it contains four states.
And because data is moving through very quickly,
you get this sort of different look to it on the spectrum.
So, what I'm trying to emphasise to you is that
originally there's sort of hardware,
and there's simple hardware like crystal sets that were used,
and it was made up of very simple components.
The point was that they're all sort of fixed,
they're a fixed personality.
Nowadays, they're more complicated,
but our phones have microchips in them,
and these other equipment also are fixed personalities.
So, it's like a black box in the limitation.
You can't get in there.
You can't change it.
It's not reconfigurable.
Here we have an example of a satellite modem
that's used to actually send data up into a satellite.
Now, keep that picture in mind,
because I'll come back to that.
So, the journey begins.
I had this set up on my balcony back in Sydney,
and I heard this mysterious signal,
which will not play now,
but I'll do it manually.
Does anybody recognise what that is?
At the time, I wasn't exactly sure what it was,
and I had actually tried to demod it
with free software out there that's available,
but none of it worked.
So, that's...
Oh, there we go.
And this was my set up at the time
I had inherited these radios from my grandfather,
a scanner and other receivers,
and I interfaced it with that little board there
to my 286,
and had a network card running Minix,
and that would stream audio downstairs,
and I could control the radios remotely.
So, this was my sort of simple set up to do that.
So, I figured, well, I'll try looking at the signal,
and once again, here we have a signal in the time domain,
and then if you look at it in the frequency domain,
you can see these two distinct levels coming out.
And this introduces the idea,
just like in data transfer,
that you have the preamble and you have the payload.
So, you can see the preamble is very important
because it establishes, for bursty data,
the transmission so that the receiver can lock onto it.
So, there's like that repeating pattern of ones and zeros.
And then you have the payload after that.
Because it's two-level FSK,
you can simply draw a line through the middle and slice.
So, anything above it will be one, anything below will be zero.
And so, that's what I started doing there.
That's a visualisation of that particular data stream.
So, you've got ones and zeros.
Great, now what?
Well, the idea is to turn it into information.
This took on and off five years
for me to actually figure out.
And in the process,
I actually ended up writing this little bit of software
that would take in this raw data
and you could play around with different ways of
line encoding and so forth.
And I'd look at it every so often and come back to it.
And then it just happened that I was reading Wikipedia
and there was an article in there
that mentioned these specific sync words.
And I thought, well, hang on, I've seen them before.
And I just happened to have the offset correct in this window
and you can see that they match up.
And so, it turned out to be POCSAG.
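The slicing and sync-word matching described above, as an added example that is not part of the talk or its decoder: one level per bit is assumed (clock recovery already done), the level stream is constructed, and the two 32-bit codewords are the real POCSAG sync and idle codewords.

```python
# Added example (not from the talk): hard-slicing a two-level FSK stream and
# searching the resulting bits for the POCSAG frame sync codeword.
# Assumes clock recovery has already been done, so there is one level per bit.

POCSAG_SYNC = 0x7CD215D8   # 32-bit POCSAG frame synchronisation codeword
POCSAG_IDLE = 0x7A89C197   # 32-bit POCSAG idle codeword, used as filler below


def slice_bits(levels):
    """Draw a line through the middle of the two FSK levels and slice:
    anything above the midpoint is a 1, anything below is a 0."""
    mid = (max(levels) + min(levels)) / 2.0
    return [1 if v > mid else 0 for v in levels]


def int_to_bits(value, width):
    """MSB-first bit list of a width-bit integer."""
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def find_sync(bits, sync=POCSAG_SYNC, width=32):
    """Slide a width-bit window over the stream one bit at a time and report
    every offset where it equals the sync word, or its complement (which is
    what you see when the FSK polarity is the other way round).
    Returns a list of (bit_offset, inverted) tuples."""
    if len(bits) < width:
        return []
    mask = (1 << width) - 1
    hits = []
    window = bits_to_int(bits[:width])
    for i in range(width, len(bits) + 1):
        if window == sync:
            hits.append((i - width, False))
        elif window == (sync ^ mask):
            hits.append((i - width, True))
        if i < len(bits):
            window = ((window << 1) | bits[i]) & mask
    return hits


def constructed_levels(invert=False):
    """Constructed FSK level stream: a 1010... preamble (a real POCSAG preamble
    is at least 576 bits; 64 are used here), the sync codeword and two idle
    codewords, with lopsided deviation so the slicer must find its own midpoint."""
    bits = ([1, 0] * 32
            + int_to_bits(POCSAG_SYNC, 32)
            + int_to_bits(POCSAG_IDLE, 32) * 2)
    levels = []
    for i, b in enumerate(bits):
        level = 0.9 if b else -0.6          # uneven mark/space levels
        level += 0.05 * ((i % 3) - 1)       # small deterministic jitter
        levels.append(-level if invert else level)
    return levels


def demo(invert=False):
    """Slice the constructed stream and return the sync hits found in it."""
    return find_sync(slice_bits(constructed_levels(invert)))


if __name__ == "__main__":
    print(demo())             # [(64, False)]: sync right after the 64-bit preamble
    print(demo(invert=True))  # [(64, True)]: same stream with polarity swapped
```

A decoder that ignores the inverted case sees nothing on a transmitter whose mark/space sense is swapped, which is one reason an off-the-shelf decoder can fail on a network that works perfectly well.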
But it was weird because the software that I had tried previously
hadn't been able to decode it.
So, I guess this was an example of security through obscurity
because they changed their implementation slightly.
But it turned out to be the pages
for the hospital network back in Sydney.
And so, we confirmed this.
I have a friend that works in the hospitals there
and he called his friend and said,
can you send a page out?
And you can see what that test page is there.
The only one that's legible.
But bringing it up on this map that I created,
it was actually part of the hospital as you can see
and we identified the frequency.
So, once you actually have a look at where that site
radio-wise is linked to,
you can see that it's connected to all of the other
sort of hospitals in the area.
So, I let my decoder run for a little while.
And...
Excuse me.
And, you know, it turned out to be some
seriously sensitive information.
And then finally...
So, that was for one of their secure systems, I believe.
But anyway...
A side note, I'll just show you that map.
This is sort of more of an indirect call to the FCC
to be more open about all the data they supposedly
don't update on their websites.
But the Australian government has been very, very good
and strict about maintaining all of this data in one place.
So, my mash-up also has these map overlays.
And this is a visualisation of every single registered
radio transmitter in Australia
and all of the links between them.
So, you can see where their population concentrations
obviously are because that's where all the radio sites are.
And also, I derive sort of radiation information.
So, these are mobile cell towers in my neighbourhood.
And if you look at various cell towers there,
you have these sort of very sharp lines coming out.
And they're actually the microwave point-to-point links
between the towers.
And the OMNIs are just sort of the panels.
The government's database that I sort of imported
contains information about the antennas
and the orientation power and so forth.
So, it's quite rough.
But, you know, it still looks pretty, I guess.
And somebody posted it to Reddit at one stage.
And it was very interesting to track what sites were popular.
I'm not sure whether you can read that.
But one is...
Basically, they're all the Echelon sites in Australia.
So, there's an earth station at Geraldton and Kojarena, I think.
And as you can see, they're all covered with the radomes.
But these are pretty popular.
That's Pine Gap.
And there's a bit of joint US-Australian action
going on there, I think.
And the very first day that I launched the site,
I had visits from the US Department of Justice.
Federal Parliament.
And my state's Attorney General's Department.
I have no idea how they happened upon it so quickly.
I don't know.
The other thing was I think people trying to get in
and hack the site and scrape everything up.
It was mostly coming from a couple of IP addresses in Bolivia.
So, I just banned the entire country.
So, that was sort of my journey to decoding things.
But let's move on to aviation now.
I have...
In the past, I generally liked to take a GPS receiver with me
and sticky-tack it to the window.
And then when the...
What's the politically correct way of saying now?
Stewardess or flight attendant...
I'm old-fashioned.
...comes up and says,
Is that off?
And I nod and say,
Of course it's off.
Naturally, it's just got the display off.
But it's kind of cool because as you take off into the air,
you get some pretty interesting stats about how fast you're going
and how high you actually are.
I don't know, maybe it's just me geeking out,
but I like the numbers.
And then once you get back home,
you can plug it into GPS Visualizer and then into Google Earth
and you get a pretty colour-coded trail of where you've actually been.
This was last year when I was going to Houston.
And this was just screenshots from a GPS receiver.
But if you're in the aeroplane and you're enjoying your ride,
how do the skies remain safe from collisions?
How do the planes get around?
I'd like to tell you a little bit about primary radar and secondary radar.
So you've probably seen these big rotating radars at airports.
And it's part of the ATC radar beacon system.
So the primary is the big one down the bottom there,
and the secondary is the one at the top.
So the primary is the traditional radar
where it sends out an enormously powerful pulse
and then listens for returns off metallic objects
because, of course, planes are just flying tin cans.
And the range, though, is limited by the radar.
So you have fourth order loss.
What's interesting, though, is that with the secondary system,
the top is actually directional radio.
And so that will actually broadcast and ping the transponders,
which are active on the aeroplanes,
which then reply back themselves.
So that requires an active system, whereas the primary does not.
And because it's an active system and the transponder replies,
you only have second order loss there.
So you can get out further.
But this is quite crucial
because if you're sitting in front of an old-fashioned radar scope
and you have the big line going around,
you wouldn't be able to ID individual planes.
But with the secondary system augmenting that,
you would actually have those anonymous blips now
coded with the squawk code that would have been assigned
when they would have taken to the skies in the first place.
So how does the transponder system actually work?
This is a basic transponder here.
And there are different modes.
A will simply reply with a squawk code.
So when you take off,
ATC will give you a squawk code like that one.
And then every time your transponder is interrogated,
it will send back some pulses that ID that particular code.
There's another one which is C.
And that will reply with the code and the current altitude,
which obviously gives air traffic control more information about the airspace.
And then the cool one is Mode S.
Who's heard about Mode S and ADS-B and things like this?
All right.
So Mode S is another system that runs on top of this.
And there's another cool thing that runs on top of that,
which is ADS-B,
which stands for Automatic Dependent Surveillance Broadcast,
which means the planes don't need to be interrogated.
They will just continually broadcast this information out.
And also part of that system is ACAS and TCAS,
which are for collision avoidance.
But the interesting thing is that A and C
are part of the secondary surveillance system.
And Mode S is not technically part of it,
but it shares the same frequency,
which obviously would reduce cost.
But now the problem is that there are so many planes in the sky
that the channel is becoming increasingly congested.
I think Frankfurt has this problem the most,
due just simply to the amount of planes in the sky there.
So how does ADS-B...
What does ADS-B send out, rather?
It's constantly sending out a plane's position, heading, altitude,
vertical rate, flight ID, squawk code.
So quite a lot of things, plus more, but they're the main ones.
So if ATC has its antennas on the ground,
then there can be transactions between ATC and the plane
purely through this system.
So ATC might send out a broadcast, which is called the all call,
and then all the planes will reply with the downlink frame
that identify the craft by its ID,
much like...
a MAC address.
Each airframe address is assigned to a single aeroplane.
And then there's also ACAS and TCAS,
where the planes will actually communicate with one another.
One might send an altitude request to one, and then it'll respond,
and this can be used to augment collision avoidance.
Obviously, if they're travelling a little bit too close,
then in one cockpit you might hear the automated voice say traffic,
and then if they get really close,
then there might be a pull-up in the other one
if they want to do an avoidance manoeuvre.
This is technically called a resolution advisory.
But there have been terrible incidents in the past
where pilots have not followed the RAs,
and actually the planes have collided.
The one I've told in the past is the tragic one,
I think, over Germany.
There was a Russian flight with a lot of schoolchildren,
and they collided, and they all died,
and then one of the fathers actually went and killed the controller.
So you've got to pay attention to the resolution advisories.
I'd like to put big props out to Brad and Nick.
They presented last year
on looking into the vulnerabilities of NextGen,
which is the FAA's title for their next generation system
that it employs all this sort of stuff.
I don't know whether Brad's actually here,
but if you're here, it'd be great to catch up.
The interesting thing is,
this is a typical 747.
This is according to a ham friend that actually is a 747 pilot.
It has 31 radios.
So lots of different things there.
And of course, that makes me pretty happy.
When I was flying over here,
I took a photo of another Virgin aircraft,
just like the one I was on.
And you can see that across the top of the aircraft there,
there are a number of sort of bumps coming out.
Don't quote me on these ones,
but I sort of mapped it from a 747.
I think it's roughly right.
But you've got a TCAS antenna, the transponder.
You've got high-gain satellite communications on the top.
You've got low-gain VHF.
In the tail, you've actually got an HF antenna as well.
And on the bottom, you've got various VHF things.
And then you can't see them,
but there's the radar altimeter and the marker
and direction-finding measurement equipment too.
Now, with Mode S,
how is that actually encoded in the air?
I showed you before what a POCSAG signal might look like,
which is frequency shift keying.
But this is actually something called pulse position modulation,
which is technically AM,
but they send out pulses at very precise times.
And when those pulses exist in a certain manner,
then it might mean a 1 or a 0.
So with Mode S, there's a particular preamble sequence,
and the pulses have to be in exactly those positions,
and that indicates that it is in fact a Mode S packet.
And then that's also used to distinguish it from Mode A and Mode C.
And then the actual payload then is determined
by the positioning of what's called chips.
So this is Manchester encoded,
but you have an early chip and a late chip.
And you can see that one will relate to being a 1
and the other one will relate to being a 0.
And then the entire payload can be 56 or 112 bits long.
So with pulse position modulation at those sorts of rates,
a pulse lasts an incredibly short amount of time.
Now, what this means is that you have to sample
at a very minimum of 2 megahertz,
and that's assuming that you're going to set it
asynchronous throughout the entire payload.
And, you know, it requires a bit of computing grunt
to actually deal with that kind of data rate.
And ideally, you want to sample faster
so that you can correct for any timing errors.
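The preamble check and early/late chip decision described above, as an added example that is not part of the talk: it works on magnitude samples at the 2 MHz minimum rate, uses the standard Mode S preamble and bit timing, and the 56-bit frame it decodes is constructed (the first byte gives DF 11; the address and parity bytes are placeholders).

```python
# Added example (not from the talk): a minimal Mode S pulse-position demodulator
# working on magnitude samples at 2 Msps, the minimum rate mentioned above.
# Timing constants follow the Mode S downlink format: an 8 us preamble with
# 0.5 us pulses at 0, 1.0, 3.5 and 4.5 us, then 1 us per bit, where a 1 is a
# pulse in the first (early) half-bit and a 0 a pulse in the second (late) half.

SAMPLES_PER_US = 2                     # 2 MHz sample rate
PREAMBLE_HIGH = (0, 2, 7, 9)           # sample indices that must carry a pulse
PREAMBLE_LOW = (1, 3, 4, 5, 6, 8, 10, 11, 12, 13, 14, 15)   # must be quiet
DATA_START = 8 * SAMPLES_PER_US        # payload begins 8 us after the preamble starts


def bits_to_int(bits):
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def hex_to_bits(hexstr):
    width = 4 * len(hexstr)
    value = int(hexstr, 16)
    return [(value >> (width - 1 - i)) & 1 for i in range(width)]


def modulate(bits, high=1.0, floor=0.05):
    """Produce the magnitude samples of one frame: preamble, then PPM chips."""
    mag = [floor] * DATA_START
    for k in PREAMBLE_HIGH:
        mag[k] = high
    for b in bits:
        mag += [high, floor] if b else [floor, high]   # early chip = 1, late chip = 0
    return mag


def is_preamble(mag, i):
    """True if the four preamble pulses sit at the right offsets from sample i
    and the gaps between them are quiet (pulses at least twice the gap level)."""
    if i + DATA_START > len(mag):
        return False
    pulses = min(mag[i + k] for k in PREAMBLE_HIGH)
    gaps = max(mag[i + k] for k in PREAMBLE_LOW)
    return pulses > 2 * gaps


def decode_bits(mag, i, nbits):
    """Compare early and late chip of each bit slot following the preamble at i."""
    bits = []
    for k in range(nbits):
        early = mag[i + DATA_START + 2 * k]
        late = mag[i + DATA_START + 2 * k + 1]
        bits.append(1 if early > late else 0)
    return bits


def decode_frame(mag):
    """Scan for a preamble, read the 5-bit downlink format (DF) to learn the
    frame length (112 bits for DF >= 16, else 56), and return (offset, df, hex)."""
    for i in range(len(mag) - DATA_START):
        if not is_preamble(mag, i):
            continue
        if i + DATA_START + 2 * 5 > len(mag):
            break
        df = bits_to_int(decode_bits(mag, i, 5))
        nbits = 112 if df >= 16 else 56
        if i + DATA_START + 2 * nbits > len(mag):
            continue
        bits = decode_bits(mag, i, nbits)
        return i, df, "%0*X" % (nbits // 4, bits_to_int(bits))
    return None


# Constructed 56-bit frame: first byte 0x5D gives DF=11 (all-call reply); the
# remaining bytes are placeholders, not a real airframe address or a valid parity.
CONSTRUCTED_FRAME = "5DAABBCCDDEEFF"


def constructed_capture():
    """Noise floor with one stray pulse, the frame, then more floor."""
    lead = [0.05] * 8 + [0.9] + [0.05] * 7
    return lead + modulate(hex_to_bits(CONSTRUCTED_FRAME)) + [0.05] * 20


def demo():
    return decode_frame(constructed_capture())


if __name__ == "__main__":
    print(demo())   # (16, 11, '5DAABBCCDDEEFF')
```

At exactly 2 Msps each chip is a single sample, so a half-sample timing error already flips bits; that is the reason given above for wanting to sample faster than the minimum.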
So you wouldn't be able to do this with your plain old radio.
And so this is where software-defined radio comes in,
and this is where I kind of got into it,
and this is my sort of first play around with SDR
because it's the perfect platform for this.
So the idea is that SDR moves
what was previously fixed in hardware,
that sort of not...
the unconfigurable hardware into the software domain.
So remember we had that simple crystal radio set.
The expression of the AM demodulation
in code, or maths in this case,
is simply the magnitude of a complex vector.
It's incredibly elegant and simple.
FM is a little bit more complicated,
but similarly as elegant.
So the idea is that it's completely reconfigurable now.
So on the receive side,
instead of having everything done in hardware,
all you do is you pick the carrier frequency
you want to listen to,
mix it with your incoming signal,
and then all the rest you end up doing in software.
So the purpose of the SDR
is simply to turn those analogue values into digital
and then supply the computer with a digital stream
that you can process.
So the continuous is then turned into discrete and quantised.
Again, you have your wave that should look familiar.
You've got your analogue to digital converter
to take it from the continuous into your number stream,
and the digital to analogue converter going back the other way
if you're going to transmit a signal.
Naturally, you're going to transmit legally
because you have a licence to transmit in that band.
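The "magnitude of a complex vector" and its FM counterpart, as an added example that is not part of the talk: it builds AM and FM I/Q samples with a tuning offset, mixes the wanted carrier down to 0 Hz in software, and demodulates; the sample rate, tone, offset and deviation are constructed values.

```python
# Added example (not from the talk): AM and FM demodulation on complex (I/Q)
# baseband samples, done as the talk describes it: AM is the magnitude of the
# complex vector, FM is the change in its angle from one sample to the next.
# Sample rate, tone, offset and deviation are all constructed values.
import cmath
import math

FS = 48_000.0          # assumed I/Q sample rate, Hz
TONE_HZ = 1000.0       # constructed message tone
OFFSET_HZ = 2000.0     # constructed tuning error: the station sits 2 kHz off centre
DEVIATION_HZ = 5000.0  # constructed FM deviation
N_SAMPLES = 480        # exactly 10 cycles of the 1 kHz tone


def message():
    return [math.cos(2 * math.pi * TONE_HZ * n / FS) for n in range(N_SAMPLES)]


def am_modulate(msg, depth=0.5):
    """Carrier amplitude follows the message; the carrier is OFFSET_HZ off centre."""
    return [(1.0 + depth * m) * cmath.exp(2j * math.pi * OFFSET_HZ * n / FS)
            for n, m in enumerate(msg)]


def fm_modulate(msg):
    """Constant amplitude; instantaneous frequency is OFFSET_HZ + DEVIATION_HZ * m."""
    out, phase = [], 0.0
    for m in msg:
        phase += 2 * math.pi * (OFFSET_HZ + DEVIATION_HZ * m) / FS
        out.append(cmath.exp(1j * phase))
    return out


def mix_down(iq, freq_hz):
    """The software equivalent of picking the carrier: multiply by e^{-j w n}
    so the wanted carrier lands at 0 Hz."""
    return [z * cmath.exp(-2j * math.pi * freq_hz * n / FS) for n, z in enumerate(iq)]


def am_demod(iq, depth=0.5):
    """Envelope = |z|; remove the carrier's DC level and undo the modulation depth."""
    env = [abs(z) for z in iq]
    dc = sum(env) / len(env)
    return [(e - dc) / depth for e in env]


def fm_demod(iq):
    """Quadrature demod: the angle of z[n] * conj(z[n-1]) is the phase step per
    sample, i.e. the instantaneous frequency; scale it back to message units.
    Output k corresponds to input sample k+1."""
    out = []
    for prev, cur in zip(iq, iq[1:]):
        step = cmath.phase(cur * prev.conjugate())
        out.append(step * FS / (2 * math.pi * DEVIATION_HZ))
    return out


def max_abs_error(a, b):
    return max(abs(x - y) for x, y in zip(a, b))


def demo():
    """Return (AM error, FM error, FM error without mixing down)."""
    msg = message()
    am_err = max_abs_error(am_demod(mix_down(am_modulate(msg), OFFSET_HZ)), msg)
    fm_err = max_abs_error(fm_demod(mix_down(fm_modulate(msg), OFFSET_HZ)), msg[1:])
    # Skipping the mix-down leaves the 2 kHz tuning error on the FM output as a
    # constant bias of OFFSET_HZ / DEVIATION_HZ = 0.4 in message units; the AM
    # envelope does not care, since |z| ignores the angle entirely.
    fm_bias = max_abs_error(fm_demod(fm_modulate(msg)), msg[1:])
    return am_err, fm_err, fm_bias


if __name__ == "__main__":
    print(demo())
```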
But this is what I started playing with first.
This is the USRP1.
It is one of the first, if not the first, low-cost SDR.
You hook it up via USB.
Depending on what daughterboard you've got,
you had a pretty amazing range to play with
and the bandwidth was pretty incredible as well.
This is the Funcube dongle.
It came out a little while later.
The range was pretty good, but unfortunately
the actual bandwidth that you could sample
was very narrow because, cleverly,
they put an audio card in there
so the left channel would be the I channel
and the right channel would be the Q channel
and you wouldn't need to install any drivers
because it would just appear as an audio card.
But, of course, if you tried to listen to it,
you wouldn't hear anything.
You needed to have the software running on top of that
to demodulate whatever you wanted to listen to.
And then, of course, there's the Realtek one.
I don't know if anybody has used the...
Has anybody used it under Windows with HDSDR
or Winrad or the like?
Yeah, a couple of people.
I guess most people have used it under Linux.
But, you know, for the price,
it's pretty cool.
I don't know if you're looking at the history,
but one of the modes under which it operates
is that it can demodulate normal analogue FM.
And a guy called Antti Palosaari
happened to figure out that it's actually streaming
8-bit samples to the computer
and the whole community sort of swarmed
and figured out how to make that
available to the mainstream.
Now, this thing here,
this is not an official announcement,
so I haven't put any text up.
But I'm pretty excited about this.
This is going to be, very soon,
Ettus Research's new USB 3.0 radio.
It has quite a frequency range,
50 MHz to 6 GHz,
56 MHz instantaneous bandwidth,
bus-powered 2x2 MIMO.
It's pretty sweet,
and I've been having adventures with it
around the Bay Area
that I'll tell you about in a little bit.
But the point is you can hook all of these things together
and bring this up to your computer
and run GNU Radio.
And it has a very nice GUI front end
where you can describe your flow graph
that will do some demodulation or modulation
in this sort of graphical environment.
So this one here is actually
a very simple demodulator for AM.
You can see there that the USRP
starts with the left-hand side.
You have an FFT,
so you can actually see graphically
what your signal looks like.
You have an AM demodulator,
and then it goes out to your sound card.
So it's a pretty simple thing.
And here, if you run a waterfall over 8 MHz,
this is actually part of the 2G GSM band,
and you can see the broadcast control channels
as well as some bursty traffic channels there.
And then this is a pretty cool example
of what you can do with this.
This is actually 56 MHz.
So what you're looking at in the middle there
are two Wi-Fi channels plus extra space on the side.
So you could simultaneously decode
two Wi-Fi channels, for example.
Over the years, I guess,
components have become faster and smaller,
so it's pretty incredible how far technology has come
in, I guess, quite a short period of time
to enable you to sort of suck up that amount of bandwidth.
This is another example, another program.
Sorry, let me go back a little bit.
There we go.
So I was talking about pagers back in Sydney.
This is an example of pagers in the States.
It uses Flex.
Who's heard about Flex protocol?
This is the Flex version of the Pages system,
and this is running a program I love called Baudline.
It does FFTs very, very quickly,
and you can zoom right in there.
And so I don't know if you can see,
but the line where the cursor is,
that's actually a single frequency
that Pager transmissions are sent on,
and I was able to zoom right in.
And you know how before we saw the two levels
of the Pager one I showed you back in Sydney,
this one actually has four levels,
but you can zoom right down,
and if you don't know the properties of a signal,
you can use this kind of analysis to figure out,
at the very basic level,
what kind of modulation they're using.
So this is actually four-level FSK.
And then I'm sure you're all aware of smart meters
and how they have a mesh network,
often in the 900 MHz ISM band.
You can see there how quickly
and how short the bursts are coming from the meters,
but you can use Baudline
then to once again zoom in on that,
and you mightn't be able to originally tell what they are
because the bursts are so short,
but if you zoom in,
you can see that there's probably
some sort of phase shift keyed one there,
the sort of blurrier one,
the wider one in the middle,
and on the left and on the right of that,
there are the narrow ones.
And although they're quite weak,
and they only appear for a very short period of time,
you can still have a look and identify
that they're two-level frequency shift keyed
transmissions as well.
Now let's say you wanted to discover patterns
or repeating periodic components
to a signal that otherwise just look like noise,
like, for example, anything CDMA.
So the examples here are that
we would be listening to the GPS constellation
or CDMA from the mobile phone network, for example.
And there's a sink called the fast autocorrelation sink,
and what it does is it does some trickery
with some FFTs to very quickly determine
whether they're sort of repeating underlying
component within a signal.
So with CDMA you have a whole bunch of signals
that share the same frequency space
but divided by what code they use.
And so here, I don't know whether you can see,
but there's a very distinct line
that appears on the 10 millisecond grid line.
So it's mostly black,
but there's the green line that appears up there.
And that's characteristic of the 10 millisecond
repeating common pilot channel information in CDMA.
So you could get a signal that you didn't know about,
put it in here, see the peak, and think,
oh, it must be CDMA.
And this is really interesting, too,
because if you listen to the GPS constellation,
if you look at the FFT, it's all just noise.
There's no apparent signal like we saw before
with the pages, for instance,
because the signal is coming from the constellation,
which is very, very far away.
The signal that arrives at our receiver is very weak.
However, there's CDMA in there,
and there's a repeating pattern in there as well.
And amazingly, doing this little bit of math,
it's able to draw out the one millisecond
repeating cyclic code in the GPS signal.
So some pretty powerful tools
that you can just download and start using for free.
Tetra is another sort of land mobile radio digital standard,
and it has this characteristic repeating pattern
at about 14 milliseconds on an idle channel.
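The FFT trickery behind that autocorrelation display, as an added example that is not part of the talk or of GNU Radio: a random chip code repeating every 1 ms is buried under noise of larger amplitude, the autocorrelation is computed via FFT, and the first strong lag gives back the repeat period. The signal and the 1.024 MS/s sample rate are constructed; only the standard library is used.

```python
# Added example (not from the talk): the fast autocorrelation trick done by hand.
# The autocorrelation is computed with FFTs (|FFT|^2, inverse FFT) and the first
# strong lag gives the repeat period of a code that is buried below the noise.
# The signal and its 1 ms repeat period are constructed; the sample rate is an
# assumption (1024 samples per millisecond).
import cmath
import math

SAMPLES_PER_MS = 1024       # assumed sample rate: 1.024 MS/s
CODE_LEN = 1024             # constructed code length in samples (1 ms repeat)
REPEATS = 8


def lcg(seed):
    """Tiny deterministic generator (so the example runs the same everywhere)."""
    state = seed
    while True:
        state = (1103515245 * state + 12345) % (1 << 31)
        yield state / float(1 << 31)


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def ifft(spectrum):
    n = len(spectrum)
    return [v.conjugate() / n for v in fft([v.conjugate() for v in spectrum])]


def fast_autocorrelation(x):
    """Linear autocorrelation r[lag] for lag = 0..len(x)-1 via zero-padded FFT."""
    n, m = len(x), 1
    while m < 2 * n:
        m *= 2
    spectrum = fft(list(x) + [0.0] * (m - n))
    r = ifft([abs(v) ** 2 for v in spectrum])
    return [v.real for v in r[:n]]


def find_period(x, ratio=0.5):
    """Smallest non-zero lag whose autocorrelation is at least `ratio` of the
    strongest non-zero lag; multiples of the true period also peak, so the
    first one above the line is the fundamental repeat."""
    r = fast_autocorrelation(x)
    half = r[1:len(r) // 2]
    threshold = ratio * max(half)
    for lag, value in enumerate(half, start=1):
        if value >= threshold:
            return lag
    return None


def constructed_signal(amplitude=0.7, noise=2.0, seed=1):
    """A random +/-1 chip code repeated REPEATS times, under uniform noise of
    larger amplitude than the chips, so an FFT alone shows no obvious signal."""
    rng = lcg(seed)
    code = [amplitude if next(rng) < 0.5 else -amplitude for _ in range(CODE_LEN)]
    return [c + noise * (2 * next(rng) - 1) for c in code * REPEATS]


def demo():
    """Return (period in samples, period in ms) recovered from the noisy signal."""
    lag = find_period(constructed_signal())
    return lag, lag / SAMPLES_PER_MS     # (1024, 1.0): the 1 ms repeat is recovered


if __name__ == "__main__":
    print(demo())
```

The pure-Python FFT is only there to keep the example self-contained; in practice this is exactly what the FFT-based autocorrelation block in GNU Radio does far faster.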
So the cool thing is that you can take a USRP out and about.
I've put this in this old used Bosch case
with some electric drill I had, I think,
because I didn't get mine in the case.
These are my amateur radio friends back in Sydney.
Again, we set up a long wire and tried to listen to the world.
The amazing thing here is that with SDR,
you can pretty much capture the entire amateur radio band,
which is what you're looking at there.
That's 25 megahertz, so it's not quite,
but if you wanted to use this or something,
you could capture it and more.
You can zoom right down there and demodulate hams
or weather fax transmissions
or clandestine military transmissions.
Codes and so on.
These are just a bunch of hams chatting in their allocated channel.
You can have digital modes like RTTY and Morse code
and Hellschreiber and all sorts of interesting things.
And if you don't like that, then you can...
Video is supposed to start playing there.
Okay.
You can just demodulate your local stereo FM station.
But the cool thing is this is Sutro Tower,
which is now in San Francisco.
The cool thing is that often modern radio stations
also have data transmitted as a subcarrier.
And RDS is one of the more popular ones.
You can see there that's the baseband spectrum that you get.
You have the decoder running in the background
that's printing out all of the RDS information,
including traffic, the state of traffic on the highways there,
which is something that I'm very interested in.
And then there you can see actually the demodulated FM.
So on the very left-hand side, you have the mono audio.
So they're backward compatible with non-stereo receivers.
You have the pilot tone, which is 19 kilohertz.
And then you have the left minus right,
which is the stereo difference channel,
so that your receiver can then recreate
the left and right channels independently.
You can listen to stereo audio.
And then further along, the last kind of peak there,
is the RDS subcarrier, which encodes this information.
Now, one thing that really peeves me
is that the location codes for the traffic information
are not public in this country.
Various European countries have made them public.
But it's just a 16-bit code
that identifies some segment of the highway.
And of course, if you buy a car
with an inbuilt navigation system,
that comes with it.
But I don't know if you have any tips on that.
I've been looking into one way
of finding out this information.
If you have any ideas,
then please come and find me afterward.
But if you want to do the reverse,
if you want to make your own FM radio station
and transmit stereo audio
and transmit your own RDS information,
there's a GNU Radio Flowgraph that does it.
And I had my little iPod Nano
with the FM radio in it that decodes RDS.
And I was just transmitting it there.
And just above the frequency display,
it's printing out some string
that was pre-programmed in the RDS XML definition.
So you can do that too.
And I think there were, I can't remember who,
I'm sorry to say, but there was somebody
that tested RDS injection
and they had a navigation display in a car
and it was saying there was a terrorist threat
and there were frogs falling from the sky
or something weird.
But if you like just scanning around,
if you had a normal scanner,
you can do that too with GNU Radio.
I have a list of frequencies down the bottom there.
It just steps through each one.
There's a squelch block that monitors the channel
and as soon as it goes quiet,
it goes to the next channel.
But the beauty about software-defined radio
is that you don't only have to look
at a single channel at a time.
Here, this is a flowgraph that I put together
with this multi-channel decoder block
where you give it a list of frequencies
and it will spin up that many decoders.
So if you look closely,
every time there's a vertical line,
it indicates that one of the channels has become active.
But of course you only have one sound card to listen to it.
So the green one becomes the active one
and the black one is simultaneously active.
So this was just voice,
but you might be listening to data transmissions
and want to be able to decode them all at the same time.
Or if you're listening to some trunked channel,
you can record all of them.
SDR is also really cool because
there's a free open source project
to set up your very own 2G GSM base station.
I would have done that now.
I've done it once before during the talk
where I set it up using this.
And I have my little phone here
and then people can sort of text me,
but I thought it might be a bit distracting.
Plus, late last night I was trying to find a free channel
and the spectrum here is so unbelievably crowded
that I just gave up.
But it's kind of cool.
Because it comes with a soft switch.
So, for example, I've set this up
where I log on with my mobile phone
and then I can dial the outside world
and I allocated a number with our actual main office switch
and then I was able to receive calls
when I dial that extension
and it all just goes through
using SIP over the network.
So it's kind of cool
and it had a very big
sort of popular debut at Burning Man
and you can see that there was a bit of computation
to be done so they put the laptop on an ice pack.
Another cool thing you can do actually now
there's GNU Radio Blocks
for decoding 802.11a
or rather the OFDM
version of WiFi.
So I put this AP up
unsecured at 5 gig.
This is a little flow graph there.
You set the gain and the frequency
and then I made it so that it would pipe the data
through to Wireshark and you can see there
the beacon frames coming from the AP.
So this is just as if you had a dedicated
wireless card running in monitor mode
except that it's just being done
in SDR and in that
picture in picture there
another laptop is connecting to the network
and you'll see the association frame coming through
and then data frames
coming through there. You can see the coloured ones.
And then
actually last week
a colleague of mine thought
he'd bring in his fancy antenna
and we would try and receive pictures
which are sent down from weather satellites
so they orbit the earth, take photos and then send them down
and you have to track them manually
because they're low earth orbit
B200, this guy's just hanging
there by the USB cable
and then you get these sort of pictures
and you see that interference there because
of course you're doing the tracking manually
and you can't see it so we were just kind of
guesstimating where it would be and I guess
we missed a spot.
It's kind of cool because
this is actually the west coast up here
of the United States
and some big cloud formations. These pictures
are taken with different sensors and you can
combine them into sort of these false colour
images to get an idea of what's happening
and this is like I think sea temperature
and there's another thermal one
and they're happening all the time. You can just get a program
to tell you when the next pass will be
and decode that.
Another one
if you're looking for positional stuff
on the water, most large
or medium sized marine vessels now
contain their own version of transponders
so I went over to
the bay in San Francisco
and so that boat there just came around
and you can see the kind of trail there
and there are those other three boats with that very large cargo
ship and they're all
plotting
sending out their information
and I guess the thing to bear in mind during all of this is
this is all unencrypted.
The thing about RF is that
it's a shared channel. It's like a human resource
anybody can do anything with it.
It's only
our legal system with jurisdiction
that dictates apparently
how it's supposed to transmit
or not within
those frequencies so
security is obviously a very very big
point that hasn't been addressed
in a lot of these systems
so it's been used in radio astronomy
passive radar tracking people
with their mobile phones through shopping malls and so on
but let's come back to aviation
remember we were talking about that radar
there's a radar turning right there
this is the radar at Moffett Air Force Base
in the bay area
you can see that every time it points towards the camera
where I have the radio there's a massive spike
because of course the radio is
directly in line with the big pulse that's coming out
what's also kind of cool is that on the left hand side
you can see the
various other small spikes coming out
they're actually reflections off large buildings
so the radar signals hitting
those buildings and then hitting back
into the radio
so
and the other thing is that I couldn't figure out
why I was seeing two peaks here
this is showing the time
in between the initial bang that's sent out
the initial pulse that's sent out by the radar
and this is called the pulse repetition frequency
and I couldn't figure out why there were two
usually there's only one
before I had an SDR that went up this high
I actually, who knows the Ubiquiti
SR4C
802.11a
wifi cards
I sort of mucked around
with the drivers a little bit
it's got in the chipset a radar detection capability
so I was using that to
try and characterise the weather radar
nearby
but I only saw a single peak
but here there were two and I did a little bit of research
and actually these radars apart from monitoring aircraft
can also be made to monitor
weather and in this dual PRF
mode there were some papers written
about how they can be used to sort of monitor
reflectivity and
moisture in the air that was kind of cool
so this is on the waterfall display
anyway what transponder
Mode S transponders look like
coming from aircraft we've sort of come full circle
now if you look at it
after demodulating
in AM then
you can see we have the preamble out the front
and then the payload after that
and what does that actually look like
all those little dots
represent a frame and if you were to run
it real time you would see something like that
and the amplitudes are obviously different all the time
because you're receiving it from planes that are all sorts of
distances away from your receiver
so once you've done all that decoding
what's next
well this is a little project I've been working on
now and then
who's seen sneakers
yeah
thought so
this is one of my favourite bits in the film
I'm not going to do an American accent but
you can see the diagnostics
what's in the little black book
and you can see there on the screen
is actually a very sort of simple picture
of the bay area with air traffic control
and planes
and I kind of put together my own system
that does it
that's San Francisco airport right there
and I just left it running
and these are the planes that fly in and out of the area
San Francisco
San Jose and Oakland
and so they leave nice trails behind
and it's kind of cool then because you can see
what the flight paths are
now this is what I call the rainbow effect
this is actually a bad transponder on an aircraft
that's reporting false position information
and you get nice sort of floral pictures
like that floral motif
but you know you can see how
SFO is actually right in the centre there
and the colour code
indicates altitude
so the yellow is just before it's about to land
this is the airport there
with the various runways
obviously we all know there was a bit of an accident
down there recently
but I
sort of went up the top of a car park nearby
this is one runway
and I had the B200 there receiving
and I happened to catch these two planes
coming in with parallel approach
you can see that one just touched down
as it turned from green to red
and that one's about to turn red as well
once the wheels hit the tarmac
and then they will scoot across the screen
as they taxi back to the terminal
so landings are cool
takeoffs are kind of cool too
especially
if you're just sitting there
you can see all the planes
at the holding point
waiting to sort of take off
I think this is a Virgin flight
there it goes
and it's again kind of neat
remember I had the GPS here
we're watching the velocities increase
and eventually when the wheel
nose wheel lifts up
turns green and
off it goes into the sky
but wouldn't it be
cool if you could do it in 3D as well
so that's the same plane now streaming
in Google Earth through the internet
you can see planes there in the background
landing at
what's that, Oakland
so that's Bay Area
there
and wouldn't it also be cool
if you could actually
have a virtual cockpit mode
so that you could be in the seat of the pilot
and imagine what it would be like
taking off into the sky
so this is actually running permanently
on my website for Sydney Australia
and I've just set this up recently
for the Bay Area as well
so
if you'd like to sort of help out with this project
I'd love to hear from you
this was actually when I had
one of these tucked away in the seat
in front of me without an antenna
and I was receiving the transponder from
like probably 10 metres below my butt
and this is a bit of a
hard landing but it's kind of cool
because as you taxi in you can see what looks to be
the burnt out fuselages of planes
I don't know what Google Earth tried to do there
you know how it does the
terrain exaggeration, they must have some sort of
automatic mechanism to determine
terrain elevation data
but it's kind of a bit weird when you fly
through planes like that
and then so if you do it in
Google Earth then you get the same sort of effect
here the trails don't persist
so it doesn't get as
crowded but
you can kind of get a sense when there's a lot of traffic
and you can see when
see how it didn't come in on the direct path there
around the ocean it kind of does loops
see there was that loop there
that's when ATC is backed up a little bit
and I'm guessing they're asking the planes to sort of hold
for a single loop just to give them a little bit of
breathing room before they vector them in
so what's this one
oh yeah this is when the police came out
hello
how are you?
good thanks and you?
are you really watching airplanes?
I am really watching airplanes
that's pretty cool
do you have ID?
is it for like school or something?
it wasn't quite for school
but I have to say she was
very very nice about it
and that's not the first time that
I've had
encounters with the cops but usually they're pretty good
so the software
runs in a couple of different stages
this is the desktop application
that sort of does the tracking
you've got the decoder that supplies the raw frames
and then you take those frames and actually do the tracking
this is the main runway in Sydney
you can see the trails the planes have left behind
when I initially got into this
I have to thank my very dear friend
back in Australia Matt Robert
he's worked on OP25
but we went up
I initially was using his USRP1 remotely
and then we would go up to the park and
test it out there because the airport would just be
within visible distance
there in the lights
we went up a couple more times progressively taking more equipment
we were quite excited this time because
that grey plane there isn't actually a plane
it's a vehicle equipped with a transponder
you can see it's on the perimeter road
and now recently Sydney airport has equipped
every single one of its cars with transponders
so if you look you can see these little vehicles
moving around and I actually need to change
the icon now to something more like a car
but we were very happy
that
that evening we had quite a bit of equipment up there as well
but you see
interesting things like that was the queen
when she came to visit
the call sign is REGL1
and then you see
some weird things like
I was in San Francisco
and I saw that
I don't know what that was about
so this is when I
without permission moved all of my equipment
to the roof of the apartment block
and I had
everything stuffed in this sort of box
which had gigabit ethernet and power
running down the side of the building
which I had sprayed the same colour as the building
just to make it invisible
and the software because you're using SDR
this is the cool thing because you can get
at the very lowest level of the signal
you can extract information about the distribution
of the strengths of the packets
coming in and build up these sort of graphs
to tell you how well your decoder is doing
this is a graph of
signal strength versus distance
and you can see the way that it drops off
this is altitude versus distance
and when it goes to the airport
they all sort of come to a single point at the bottom left
but you can see the standard flight altitudes
out to the right that the planes will eventually ascend to
and this is a weird one
this is strength versus altitude
and once again you can see the standard flight paths
coming out on the right hand side there
but on the other axis
this one is Sydney
now Australia actually has a
greater rollout of ADS-B
in addition to listening to those messages
you see how those balloons are popping up
these are ACARS messages
this is a system that is like text messaging for aircraft
there's another rainbow effect
but the text messages can be between
the cockpit, air traffic control
engines might send vibration reports
back to Rolls Royce
I saw once that there had been a rowdy passenger
on the plane and they had asked for the federal police
to come to the next airport to escort the person off the plane
all sorts of messages
most of it's clear text
and this is
again
pardon
generally no
this is
once again looking down
at Sydney airport
and you can see when a message is actually sent
it deposits a little
sort of marker behind
and most messages actually occur
at the airport
it's just the way the diagnostic systems work
so I've mentioned all that already
but
I listened to the two primary frequencies
back home and I'm setting that up here as well
but this is how the message is printed out
so the frequency, the content
the flight ID, registration and so on
what does it actually sound like
that's an ACARS message there
and once again
the cool thing with SDR is that this is actually
decoding all the three main channels here
in the bay area simultaneously
so whenever it receives one you can see that it will
just scroll along the side there
and that can be fed into the main system to
put spatially on the map
where the aircraft was when it transmitted that information
so it's also a very interesting sort of
diagnostic tool for airline operations
I guess, or if you just like to be a plane
spotter
so you can see a whole bunch of
engineering messages which have the H1 label
were delivered as it was sort of
coming in to land or pass through the airport
again
this is sort of sped up
you saw a big blue dot there and I'll explain that
but you can see all of the dots
appearing as they take off
which is when the plane sends out a whole lot
of information
as it ascends into the sky
so here are some examples
this is kind of a running joke
I see, probably
just because I'm hyper sensitive
to it now, well I see
ACARS messages regarding blocked toilets
on aircraft
so here we have one toilet that's inoperative
and I'm guessing lav hard means
the lavatory has failed
with a hard failure mode
so the galley's flooded in lav hard
and because I see them all the time I thought
well I'll make an Easter egg in Google Earth
and unfortunately
I think the waypoint that's been highlighted
there is prawn
the other thing is that
they actually send out flight paths
over ACARS using waypoints
and I have a database of the waypoints
so it actually will draw then the flight paths
that the planes will
should fly through
I'm only receiving the small portion but
you would expect the plane to fly through to Asia
and to Perth on the side of Australia
and also sometimes you see nice things where
why are these planes appearing Google Earth
as models, maybe Qantas is paying Google
I don't know, but it appears
right on top of the cockpit which is kind of neat
and then
yeah we talked about the traffic
so you saw that I put all that stuff up
on the roof without asking
the strata sent
this message to everybody saying
that several trades people
had installed satellite dishes on the roof
so it was just me that installed my
home built VHF antenna
and Mode S
antenna which is basically the top of a tin can
or the tiny little thing sticking out
and they made a big fuss about it
but two nights before I left to move
for the states I said stuff them
I put everything in a box like this
this was the night before
I was supposed to get on the plane
installing it at a height
this is as I was taking off in the plane
I took a photo of where the actual site was
and this is with a little Realtek dongle
on the flight over here tracking my plane
obviously I wasn't getting to the internet
so I didn't have maps imagery but
it was kind of cool to pick up where the plane was
that's more recently in LA
you can get some good range
obviously when you're nice and high
and this is more recently when I'm setting up the new antennas
instead of doing only Mode S though
you can use HF
and we were able to receive
the HF
transmissions which work in a slightly different system
extending all the way
as you can see there into China
and India
so obviously with HF
you have far greater propagation
which is pretty incredible
so that's more or less
aviation
remember it's all unencrypted
so you can spoof
you can jam
you can do all that kind of stuff
and I'll talk a little bit more about that later
am I doing that?
I haven't
actually looked into that
the question was
there's another part of this called
TIS-B
which is traffic information
that's also broadcast over the same
sort of mechanism
and that's used to augment the information that
pilots can see
but it's sort of a next step
of the protocol and isn't really widespread
but various sites are sort of bringing it online
but no I haven't looked at that myself
I haven't done that
but that's actually good
for potentially doing multilateration
in the absence of
Mode S and ADS-B
so
moving on to the next one this is blind signal analysis
so this is where you have no idea what you're actually dealing with
so
I was looking at satellites
I happened to go over to a friend's place and hook my
USRP up to his set-top box
that was connected to a satellite
and there are two types of
mainly two sorts of things
to consider
you've got the purpose and the payload so
we saw the weather satellites, military satellites
amateur radio satellites
the low earth orbit ones, geostationary ones
and there are the intelligent ones
and the dumb ones
so the intelligent ones actually you communicate with them from the ground
and instruct them to do things
or there are the dumb ones that just relay information
and it's like a big RF megaphone
so you have a big dish that sends up your million
satellite TV channels
and then it broadcasts it back down from spot beams
to the ground so that everyone with their little
satellite
TV
can watch TV
without having to have cable running
now the Optus D1 satellite is just like that
it operates in these ranges
with this sort of bandwidth
it's mainly used for television
with some other interesting narrow band things
and I thought well let's have a look at what's going on there
these are the
publicly available frequencies
how the transponders are broken up
what the telemetry frequencies are
what the uplink power control frequencies are
and this is quite important
because uplink power control is a constant
power
signal that comes down
to inform the ground of how much power it should send back up
because depending upon the amount
of moisture in the atmosphere
sort of how much, you know,
cloud cover and so on
you have to change the amount of transmit power on the ground
so that the signal ends up hitting the satellite
and that has security implications too
so this is actually
some publicly available images
this is the earth station
where they send the signals up
if you look at it on the map it contains all the sort of TV
media agencies
if you look at the photo
that they took inside
with a bit of research recognised
remember that modem I showed you at the beginning
that rack is full of them
so you can look at the manual
they have some various other
sort of more or less well known
antenna satellite control systems
so what do you need to actually decode these sorts of signals
you need a satellite, you need a dish
you need a set top box
or some sort of down converter
and an SDR
if you're going to be looking at narrow band stuff
you have to get a down converter
that has very high stability
usually the ones for satellite TV are very cheap
because they can drift quite a bit
but that's ok because the satellite TV signals
are very broad band
it's not the case for the narrow band stuff
if you actually do a search for the satellite
it happens that the manufacturer
of the transponder
lists the satellites that the transponder is on board
and then you can look at what kind of modulation
will be used for the telemetry downlink
this is actually one of the telemetry signals
that's coming off that satellite
you have the telemetry sidebands
you've got one pulse per second tones
you've got constant subcarrier
and this is actually
zooming into those telemetry signals
you can demodulate that
with GNU radio
and then you can do some visualisations
I didn't look much further than this
but it's kind of cool when you create these raster plots
who can tell me what these sort of triangular shapes
indicate?
counters, exactly
so you can see that this evidence
is definitely something going on there
and that might be a starting point
but there are a lot of other narrow band streams
coming down from that satellite
so the idea is that you pick one, lock onto it
and try and decode it
the problem is that because you're going in blind
when you initially send out the signal
you have to specify all these parameters
so if you're multiplexing signals together
if you're scrambling them
if you're differentially encoding them
if you're doing error correction, modulation, so on
you don't have any idea
so then doing it in reverse
can make your head explode
if you know strong bet
so if you don't know
basically you try the most common ones
you try and automate it and try and script it
and the idea is that
you can sort of use some hints along the way
to determine how successful you're being
so most
satellite signals are phase shift keyed
which means that instead of changing the frequency
they change the phase
for each one and zero
that's sent through, each symbol technically
and so
you need to determine what kind of modulation
or what sort of order is being used
for the phase shift keying, the symbol rate
how quickly they're sending the data through
and you can do this quite easily
so I saw these transmissions
I thought okay we'll pick one of those
and then what you do is you can multiply
or rather raise the signal itself
to a power
so you just like square it
or put it to the fourth power
and as soon as you get these peaks on the FFT
it actually is indicative of the fact
that you've hit the right order of the modulation
before so we actually have
QPSK which means
that in each symbol that's transmitted through this
phase shift keyed stream
there are two binary bits
also we need to find out how quickly
they're being sent through and so you can do this
using some simple what's called cyclostationary
analysis where you multiply
the signal by a lagged version
of itself and that will reveal
any sort of periodic components
and here it turns out to be a good old 9600
baud
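The two hints just described, as an added worked example that is not code from the talk or from GNU Radio: a constructed M-PSK burst with a small residual carrier offset is raised to the 2nd, 4th and 8th power, and the lowest power that turns the spread-out spectrum into one sharp line is taken as the modulation order; the same burst is then multiplied by a one-sample-lagged conjugate copy of itself (the cyclostationary trick) and the first spectral line above the floor gives the symbol clock. Sample count, samples per symbol, carrier offset, noise level, seed and the 38400 sample/s rate are all assumed values, chosen so the recovered rate comes out at the 9600 baud mentioned above; the O(N^2) DFT is written out in plain Python so nothing beyond the standard library is needed.

```python
import cmath
import math
import random

# Constructed parameters (not from the talk): 512 complex samples, 4 samples
# per symbol, a small residual carrier offset and a little Gaussian noise.
N_SAMPLES = 512
SAMPLES_PER_SYMBOL = 4
CARRIER_OFFSET = 0.0625   # cycles/sample; 4*f0*N is an integer so the line lands on one bin
NOISE_SIGMA = 0.03


def make_psk(order, seed=1):
    """Constructed M-PSK burst: rectangular pulses, carrier offset, light noise.
    Constellation points sit at odd multiples of pi/order, so raising a
    sample to the order-th power collapses every symbol to -1."""
    rng = random.Random(seed)
    samples, symbol = [], 1 + 0j
    for n in range(N_SAMPLES):
        if n % SAMPLES_PER_SYMBOL == 0:
            k = rng.randrange(order)
            symbol = cmath.exp(1j * (math.pi / order + 2 * math.pi * k / order))
        carrier = cmath.exp(2j * math.pi * CARRIER_OFFSET * n)
        noise = complex(rng.gauss(0.0, NOISE_SIGMA), rng.gauss(0.0, NOISE_SIGMA))
        samples.append(symbol * carrier + noise)
    return samples


def dft_magnitudes(x):
    """Plain O(N^2) DFT magnitude spectrum, standard library only."""
    n = len(x)
    twiddle = [cmath.exp(-2j * math.pi * i / n) for i in range(n)]
    mags = []
    for k in range(n):
        acc = 0j
        for t, v in enumerate(x):
            acc += v * twiddle[(k * t) % n]
        mags.append(abs(acc))
    return mags


def peak_to_mean(mags):
    """A pure tone gives a ratio near N; a spread modulated signal gives single digits."""
    return max(mags) / (sum(mags) / len(mags))


def detect_psk_order(samples, candidates=(2, 4, 8), threshold=20.0):
    """Raise the signal to each candidate power; the spectrum turns into one
    sharp line exactly when the power equals the PSK order."""
    for m in candidates:
        powered = [s ** m for s in samples]
        if peak_to_mean(dft_magnitudes(powered)) > threshold:
            return m
    return None


def estimate_symbol_rate(samples, sample_rate, min_line_ratio=4.0):
    """Multiply the signal by a one-sample-lagged conjugate copy of itself;
    symbol transitions then show up as a spectral line at the symbol clock.
    Returns the first line above the floor, in symbols per second."""
    n = len(samples)
    product = [samples[i] * samples[i - 1].conjugate() for i in range(n)]  # i-1 wraps at i=0
    mags = dft_magnitudes(product)
    floor = sum(mags[1:n // 2]) / (n // 2 - 1)
    for k in range(1, n // 2):
        if mags[k] > min_line_ratio * floor:
            return k * sample_rate / n
    return None


if __name__ == "__main__":
    for order in (2, 4, 8):
        print(order, "-PSK detected as order", detect_psk_order(make_psk(order)))
    print("symbol rate:", estimate_symbol_rate(make_psk(4), 38400), "baud")
```

Trying the powers in ascending order matters: a BPSK signal also produces a line at the 4th power, so the lowest power that works is the answer, not the largest. With real captures the carrier offset is unknown, which is fine, because the line simply appears at M times the offset rather than at DC.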
also it's forward error corrected
and without figuring
out what the convolutional decoder
parameters are you're going to be left with noise
so the idea is that you go through all of them
and then until
you find that the error rate
from the actual Viterbi decoder
drops to zero so a Viterbi decoder
is designed to decode convolutional
codes but there's this metric
this sort of special count
that it keeps inside
and when you actually hit the right
parameters that will drop to zero
or very close to and that's the hint that you've
been able to identify the right parameters
so you can see there that drops to zero
which means that I've got the right
code rate
and so on. This is a flow graph that kind of
emulates that process
but going through the permutations
GNU Radio is cool because it's open source
you can extend it any way you wish and instead of me
having to click on all of those buttons and try everything out
I made a little block that actually went through
them automatically and then it would go through
each permutation and then it would find that
it was locked and it would just lock onto that
and then I could proceed with the next day
so I've got now
ones and zeros again
looks like there's a lot of structure in there
not but
it looks like it's been probably scrambled
which is a common thing to do to sort of
whiten the data in case there's sort of
any repeating patterns you want to keep it as
pseudo random as you possibly can
to send over an RF link
but once you find a
GNU Radio scrambler I just tried a couple of popular ones
turns out that it's still
not quite right because you have long runs
and ones and zeros so it's probably
differentially encoded so if you
differentially decode it it looks much better
you can see what appears to be repeating
patterns and headers and payloads
so now you've got that structure
you can go through
the individual bits and search for these repeating
patterns and I discovered sort of
this sequence would be repeating all the time so it's
probably going to be some sort of preamble
and then once I would look at
the preamble I was able to find
what looked like packets and it turned
out to be some ancient character
oriented packet
assembly so you have the synchronisation
bytes, start of header
start of text, end of text, CRC
at the end and then
a number of fixed length messages within
these packets coming down from this satellite
and each contains this ID
so then I wrote a parser for that
and it would parse them out and group them by ID
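The bit-level steps just described (try candidate descramblers, differentially decode, look for the pattern that repeats most, then parse character-oriented frames with SOH/STX/ETX and a trailing CRC and group them by ID), as one added example that is not code from the talk or from any satellite operator: the transmitter side is constructed purely so the receiver side has something to analyse. The frame layout, the CRC-16-CCITT choice, the self-synchronising 1 + x^4 + x^7 scrambler, the three decoy candidates, the field values and the 20 dropped leading bits (we "tuned in" mid-stream) are all assumptions, not a description of any real downlink.

```python
import struct
from collections import Counter

SYN, SOH, STX, ETX = 0x16, 0x01, 0x02, 0x03
FRAME_BYTES = 12                     # SYN SYN | SOH id STX int16 int8 bcd ETX | CRC16
FRAME_BITS = FRAME_BYTES * 8
# Constructed candidates: tap positions (a, b) of a self-synchronising
# 1 + x^a + x^b scrambler. No claim about any real standard is made.
CANDIDATE_TAPS = [(3, 20), (18, 23), (14, 15), (4, 7)]
TRUE_TAPS = (4, 7)                   # what the constructed transmitter uses


def crc16_ccitt(data, init=0xFFFF):
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def to_bits(data):
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits) - 7, 8))


def diff_encode(bits):                # e[n] = d[n] xor e[n-1]
    out, prev = [], 0
    for b in bits:
        prev ^= b
        out.append(prev)
    return out


def diff_decode(bits):                # d[n] = e[n] xor e[n-1]
    out, prev = [], 0
    for b in bits:
        out.append(b ^ prev)
        prev = b
    return out


def scramble(bits, taps):             # s[n] = d[n] xor s[n-a] xor s[n-b]
    out = []
    for n, b in enumerate(bits):
        for t in taps:
            if n >= t:
                b ^= out[n - t]
        out.append(b)
    return out


def descramble(bits, taps):           # d[n] = s[n] xor s[n-a] xor s[n-b]; needs no key
    out = []
    for n, b in enumerate(bits):
        for t in taps:
            if n >= t:
                b ^= bits[n - t]
        out.append(b)
    return out


def build_frame(unit_id, value_i16, value_i8, bcd_minute):
    body = (bytes([SOH, unit_id, STX]) + struct.pack(">hb", value_i16, value_i8)
            + bytes([bcd_minute, ETX]))
    return bytes([SYN, SYN]) + body + crc16_ccitt(body).to_bytes(2, "big")


def make_received_bits(n_frames=8, drop=20):
    """Constructed downlink: telemetry frames from three units, differentially
    encoded then scrambled, with the first `drop` bits lost to a late tune-in."""
    stream = b"".join(build_frame((i % 3) + 1, -1200 + 37 * i, -5 + i, 0x10 + i)
                      for i in range(n_frames))
    return scramble(diff_encode(to_bits(stream)), TRUE_TAPS)[drop:]


def structure_score(bits, width=16):
    """Occurrences of the most common bit window: pseudo-random data scores
    1 to 3, framed data scores about once per frame (the sync bytes repeat)."""
    counts = Counter(tuple(bits[i:i + width]) for i in range(len(bits) - width + 1))
    return counts.most_common(1)[0][1]


def guess_scrambler(rx_bits, candidates=CANDIDATE_TAPS):
    """Descramble with each candidate, differentially decode, keep the most structured."""
    score, taps = max((structure_score(diff_decode(descramble(rx_bits, t))), t) for t in candidates)
    return taps, score


def parse_frames(plain_bits):
    """Slide to each SYN SYN, check SOH/STX/ETX positions and the CRC, decode fields."""
    sync, frames, i = to_bits(bytes([SYN, SYN])), [], 0
    while i <= len(plain_bits) - FRAME_BITS:
        if plain_bits[i:i + 16] == sync:
            frame = to_bytes(plain_bits[i:i + FRAME_BITS])
            body, crc = frame[2:-2], int.from_bytes(frame[-2:], "big")
            if body[0] == SOH and body[2] == STX and body[-1] == ETX and crc16_ccitt(body) == crc:
                value_i16, value_i8 = struct.unpack(">hb", body[3:6])
                frames.append({"id": body[1], "int16": value_i16, "int8": value_i8, "bcd": f"{body[6]:02x}"})
                i += FRAME_BITS
                continue
        i += 1
    return frames


def group_by_id(frames):
    groups = {}
    for f in frames:
        groups.setdefault(f["id"], []).append(f["int16"])
    return groups


def analyse(rx_bits):
    taps, score = guess_scrambler(rx_bits)
    return taps, score, parse_frames(diff_decode(descramble(rx_bits, taps)))
```

Because the scrambler is self-synchronising, no initial state has to be guessed; the wrong candidates leave pseudo-random bits whose most common 16-bit window occurs only a couple of times, while the right one exposes the SYN SYN SOH prefix once per surviving frame. The CRC check is what separates a real frame from a chance match on the sync bytes.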
and then I discovered these sort of
patterns between each successive
transmission and what looked like a header
you would have varying numbers
encoded as 16-bit signed integers
8 bit signed and BCD
and I thought hmm
what could that possibly be
well I have no idea but if you
graph them they look pretty
so I thought
they're probably some sort of
measurement maybe that's preceding
the time if you plot
you know the X and Y then they
might move around like this there might be
some sort of telemetry from various
sensors placed around the country that are all being
uplinked from remote locations to be
collected at one central spot
I really am sad that I wasn't able to record
more data because I only recorded 2 minutes worth
but if you would record it for say a week
or a month you could then graph this
and see how it would change with the time of day
so if it's related to human activity or some sort of
natural phenomenon
so more data
is always the key
this is a sort of
TDMA downlink so I think people with remote
satellite terminals are using this sort of shared
part of the satellite spectrum there
this was another one that I just could not figure out
it looked like there was something that
was there you can see that hump there
there might be a signal modulated in there
I was scratching my head I was running all of these sorts
of tricks nothing came
out of it and in the end I
found some satellite
frequency allocation for a US
satellite and it turns out they actually
put white noise channels through
the satellites to do
presumably some sort of RF measurement
and testing so there's actually nothing encoded
there it's just purely white noise
so
something to bear in
mind
well if it was one
time then it would be digital so there would
still be some sort of digital artifact there
but this was well and
truly
well as far as I can tell anyway white
on back
coming down to earth again terrestrial
signals in HF, STANAG is a military mode
and it's well documented
you can run a
similar sort of analysis that runs at 2400
baud you can see that peak coming out there which is
indicative of the baud rate again
if you run the fast sort of correlation
then it matches exactly with the spec
in terms of detecting the
frame lengths and so
this is a way once again if you have a blind signal and you
have a database of known parameters you can
sort of look at them and ID them
it's actually 8 PSK this time so
a change in the PSK phase
will encode 3 bits and
if you create the demod in GNU
Radio you can see the 8
sort of points coming out on the constellation
there that encode the data
DRM is a really cool digital
mode for HF that sends near
CD quality, I think it's near CD
audio over HF so
you can get incredible distances but then have
really nice digital audio
coming out the other side
and it's OFDM
like we mentioned before
this is some MATLAB code that I put together
from a paper and you can
obviously create some pretty
plots but looking at the peaks
will tell you information about
the OFDM
parameters so
there's some
good information about the
class B encoding DRM
because there are different classes A through E
that are used for different protection
classes depending on how far you want to send
the signal or how good you want the
quality of the audio to be
so once again it's a good way of
figuring things out
instead of MATLAB code though I realised it was
easy to create this simple flow graph in Gnu radio
where you run the autocorrelation
again of this OFDM signal
you see a peak coming out there you change the lag
amount, remember with cyclostation analysis there's a lag, you set that as a lag and then
you see these additional peaks coming out of the additional FFT and again that matches
up with those exact values that we got through the other way of doing it.
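The autocorrelation-then-FFT procedure just described, as an added example that is not the talk's MATLAB code or flow graph: it is run here on a constructed OFDM signal whose parameters (FFT size 64 with a 16-sample cyclic prefix, and a second case of 128/32; these are test values, not DRM's) are recovered blind.

```python
import numpy as np

def make_ofdm(n_fft=64, n_cp=16, n_symbols=200, seed=1):
    """Constructed test signal (not a real DRM capture): QPSK on every subcarrier, IFFT,
    then the last n_cp samples of each symbol copied in front as a cyclic prefix."""
    rng = np.random.default_rng(seed)
    symbols = np.exp(1j * (np.pi / 4 + np.pi / 2 * rng.integers(0, 4, size=(n_symbols, n_fft))))
    time_domain = np.fft.ifft(symbols, axis=1)
    with_cp = np.concatenate([time_domain[:, -n_cp:], time_domain], axis=1)
    return with_cp.reshape(-1)

def estimate_fft_length(x, max_lag=256):
    """Step 1, the peak 'coming out' of the autocorrelation: the cyclic prefix is a copy of
    the samples n_fft later, so |r(lag)| peaks at lag == n_fft."""
    n = len(x)
    mags = [abs(np.vdot(x[lag:], x[:n - lag])) for lag in range(1, max_lag + 1)]
    return int(np.argmax(mags)) + 1

def estimate_symbol_length(x, lag, n_pad=1 << 18):
    """Step 2, the cyclostationary view: set the lag found above, form x[n]*conj(x[n+lag]),
    which repeats every n_fft + n_cp samples, and FFT it. Zero-padding gives a fine
    frequency grid so the period can be read straight off the strongest non-DC bin."""
    y = x[:-lag] * np.conj(x[lag:])
    spec = np.abs(np.fft.fft(y - y.mean(), n=n_pad))
    k = int(np.argmax(spec[1:n_pad // 2])) + 1      # bin of the symbol-rate line
    return int(round(n_pad / k))

def blind_ofdm_parameters(x):
    """Returns (n_fft, n_cp, symbol_length) recovered without knowing the standard."""
    n_fft = estimate_fft_length(x)
    symbol_len = estimate_symbol_length(x, n_fft)
    return n_fft, symbol_len - n_fft, symbol_len

if __name__ == "__main__":
    for params in [(64, 16), (128, 32)]:
        print("true n_fft=%d n_cp=%d -> estimated (n_fft, n_cp, symbol_len) =" % params,
              blind_ofdm_parameters(make_ofdm(*params)))
```

The same two steps work for any cyclic-prefix OFDM signal, which is why a table of known (n_fft, n_cp) pairs lets you identify a standard from a blind recording.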
So that's sort of some simple techniques you can use with open source software to try and
figure out what a signal is.
Let's talk about FasTrak a little bit. I've shown you what it looks like, I've sort
of told you about all this already during our pre-introduction, but the interesting point
here, the last one, is that these tags actually do not actively transmit back.
What happens is, the toll reader will transmit an interrogation and then it will keep a carrier
wave.
Basically an unmodulated carrier hitting the FasTrak tag, and then the microcontroller
inside will actually change the load on the internal antenna, and what that means is that
the internal antenna will kind of take a little bit of that energy, and then when it modulates
a one, say, and then a zero, it won't actually absorb that energy and it will be reflected
back to the original tag reader.
So it's kind of weird that you have the situation where you might have these sort of antennas
pointed down and these are both transmitting and receiving at the same frequency at the
same time.
I hadn't actually kind of played around with this before but it's pretty neat and it makes
some things easier because you're using the single signal, you don't have to worry about
kind of transmitting back, it takes more power from the FasTrak tag because these just
contain long life lithium batteries, and also then you don't have to worry about synchronisation
because you don't have two different clocks that are running in different clock domains.
So apart from actually having antennas at the toll reading booths, there are antennas
that sit on street lamps and signposts on the highway and apparently they're used for
511 traffic information and so I thought, well, I'll go along and see what I pick up.
So that's the antenna, the B200 there and I've got the spectrum coming out on the laptop
and that is actually the constant interrogation pulse coming from the system.
So I recorded that.
This is actually on the side of the Golden Gate Bridge at the toll booths.
I went there and I only realised after I'd actually parked in the authorities' reserved
parking spot but I was very quick.
And so I kind of nestled myself in this bus stop and was pointing the Yagi at the toll
tags just to see what I could find.
But this is the trick.
This is the really cool key that makes it all work.
How does it all happen?
It's this little device here that I managed to find on eBay and it's all about magnets.
So it's called a circulator and the idea is that you can send RF energy in one port,
it will circulate around to the next port and leave and not continue around to any subsequent
port.
So the transmit energy from the interrogation transmitter would go in one, go to two and
then go out in the antenna.
Anything coming back up the antenna.
I.e. anything reflected from, say, a toll tag, will come in two and then exit three
and go to the receive side of your radio.
Anything coming from the receive side doesn't matter because the receive side won't be transmitting.
But this is my little test set up there, you've got the circulator connected to the Yagi that's
being kindly supported by that stuffed monkey and the tag leant up against the cup.
So this is the signal that's being transmitted out.
This is the interrogation signal.
And then this is looking at what's coming back in from the antenna.
Now, circulators aren't perfect.
They won't be able to suppress all of the energy sent through so there will be inevitably
some that's passed on to another port if you don't have a matched antenna, for example.
But here on the very left‑hand side you can see there are those lines jumping up and
down.
This is the payload of the interrogation that's identifying with an ID who the interrogator
is.
And funnily enough, it uses exactly the same modulation.
It's pulse position modulation.
And then after that you kind of have that slightly wavy line emanating out.
Just imagine that was flat.
This is the constant carrier that should be backscatter modulated by the tag.
And so what happens is when I hold the tag up, you can see now something has happened
there on that line.
If I flip between them, you can see that there is some additional activity.
Very weak, but there's definitely something there past that interrogation.
And then my toll tag has come up.
So that's the response.
If you use the good old Wayback Machine, you can find the Department of, was it
Transport, spec on this and then you can implement it.
So this screen shows when the preamble is found in the response and there's this peak
from the tuned filter for that preamble.
And when it detects a peak in the filter, meaning that a backscatter modulated response
has been sent by a tag, it activates the decoder here.
And then once again remember we were talking about slicing the pager signal.
Once again, we're slicing the response.
So the top is one, zero is at the bottom.
And then we get binary out and we have a payload that we can then CRC check for validity.
And then again, completely unencrypted, you have the tag ID.
And the flow graph is relatively simple.
There's a transmit chain in there ‑‑ okay, well, I hid all of the really gruesome
stuff.
But, you know, I like big flow graphs.
You can do them hierarchically as well, there's a cool feature where you can kind of encapsulate
stuff.
And I get crap about it all the time that I should be using it, but I never do.
I just like having it all flat.
And if you want to look into it more, I highly recommend that Black Hat talk that was given.
I used quite a bit of that as sort of inspiration and reference, by Nate Lawson of Root Labs.
Okay.
So let's cover direction finding quickly.
Okay.
So we have direction ‑‑ so up until now we've been talking about the contents of
signals, trying to figure out what's actually inside them.
This is more about where they're coming from, which can also be used as, you know, a bit
of a key as to what's going on, where somebody is.
It was originally used for radio navigation before radar.
It can be used for signals intelligence, emergency aid if you're trying to find somebody
lost somewhere with an emergency beacon, wildlife tracking, obviously, and reconnaissance.
And believe it or not, it is actually a sport, too.
So it was used in World War I and II.
The Y stations along the British coastline would try and find the U‑boats.
And that was quite a successful use of the technology, much more primitive than what
we can do now, but still pretty cool.
And apart from just sort of VHF and UHF signals that we would normally use, you can have some
incredibly large arrays like the one here in Germany.
You can see for size comparison, those are cars that are parked in the parking lot at
the bottom of the image.
So that is an absolutely huge installation.
And this is used to pinpoint transmissions from all over the globe that are transmitted
on HF or long wave.
Now in terms of the sport, you actually have amateurs going out with Yagis and they have
these little fox hunts where the transmitters are hidden in the forest or something and
they have to try and find it.
So it's a highly directional antenna so that you can pinpoint where the signal is coming
from.
And that's a crazy serious German ham.
So the first way that I initially played around with was called pseudo Doppler
direction finding.
And the idea is that you use the Doppler effect to cause a perturbation in the radio waves
and then exploit that to figure out where the signal is actually coming from.
So I'm sure we all know what the Doppler effect is.
As you move an object, it changes the waves.
But what you can do is you can actually have ‑‑ you can see more highly technical and refined
wave passing through the center of the circle.
The vertical line there on the circumference is actually the antenna.
So the idea would be that you rotate the antenna from point A around point B through to point
C through the wave, thereby compressing it in frequency.
And then as you come out the other way, through D back to A, it's moving the opposite direction
and so you expand the wave a little bit.
So you end up with this Doppler shift that you can see there in the bottom diagram and
that will change the frequency slightly of your signal.
Now, the cool thing about it is FM, frequency modulation, relies on this very effect.
It will change your carrier wave in frequency depending upon the signal.
So what you're doing is you're just adding an extra tone, adding an extra bit of modulation.
So this works really well with FM signals.
And it means that you can just use any old FM radio or SDR to do the determination of
the direction.
So the problem is that once you take everything into account ‑‑ here we have my graph.
My single gratuitous transition.
You would have to rotate that antenna at a ridiculously fast rate that would be physically
impossible.
So what do you do instead?
Well, you do it electronically.
You have a fixed array of antennas that don't move, but you actually switch in between them
electronically using antenna switch.
And what it means is that instead of having that continuous motion, you do those discrete
steps and end up with the same sort of response.
And you can full‑time ‑‑.
So this is kind of your classic homemade RDF.
It was a little box you would hook up to an existing FM receiver and the LEDs would then
indicate the direction that the transmission was coming from.
And this is sort of the internal component or system diagram.
The stuff in green is all clocked together, which means that it's all synchronous.
Remember, you're switching around the antenna, which will mean that a certain frequency is
introduced into this.
And you need to focus in on that one frequency to figure out the direction.
This is the circuit diagram, just for reference.
And then, you know, of course, you're going to look like maybe a little bit weird driving
around with all this stuff hanging out of your roof.
But hey, that's exactly what I did.
So I went color, I got an SDR, and I wrote a bit of mapping software and I got the dothmobile
happening.
So I made my home antenna array there.
So if we recall this little diagram ‑‑.
All that is done in software.
All that is what remains after doing all the rest in software.
So this is suction caps that you use to transport windows with.
I cut out the tin, soldered some sort of tuned elements on top, put it into this antenna
switch that I got as a free sample from an RF company.
And then modified the FPGA code that ran in the USRP1 so that the clock that was controlling
the actual SDR was also controlling the antenna switch.
And the beauty about that is that the frequency then that you get out that reaches the computer
is exactly synced to the rate at which the antennas are rotating.
So you can narrow in on one specific FFT bin that is guaranteed to be the signal of interest,
the Doppler tone that you can then determine the phase from to determine your direction.
So this is the receiver.
I had two laptops in the car, one doing the tracking, one doing the mapping.
Flow graph.
What else?
I won't go into the details there, but you've got the source coming in, you generate your
reference sine wave, and then the Doppler tone you also extract from your incoming RF.
And the trick is that you compare the phase between your reference sine wave and the sine
wave that comes in from the Doppler signal.
And the difference between those phases will actually give you the direction of your signal.
That's the trick.
So it's a phase comparison with a known reference wave.
So if you look at the FFT of your incoming signal.
You see how you have that peak there?
That's the Doppler tone.
And so what you do is you take a reference, which might be the blue one, I think, and
the green one is your Doppler tone that you've been able to filter out.
And then you determine the phase there, and that, excuse me, literally is your direction
of arrival of your signal.
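The phase comparison just described, as an added example that is not the talk's flow graph: a constructed four-antenna ring is commutated in software, the Doppler tone is extracted at the switching rate with a reference wave from the same clock, and the phase difference between the two is the bearing. Here the Doppler tone is taken as the switched baseband phase of an unmodulated carrier; a receiver that takes it from the FM discriminator output gets the same tone shifted by a fixed offset that is calibrated out.

```python
import numpy as np

def switched_array_tone(bearing_deg, n_antennas=4, dwell=50, cycles=40, radius_wl=0.2, seed=0):
    """Constructed receiver output (not a recording): an unmodulated carrier arrives from
    bearing_deg and the receiver is switched around a ring of n_antennas antennas of
    radius radius_wl wavelengths, dwelling `dwell` samples on each one. The antenna facing
    the source sees the wave first, so its phase leads; stepping around the ring turns that
    into a tone at the switching rate, the 'Doppler tone'.
    Returns the baseband phase of the carrier and the antenna index active at each sample."""
    rng = np.random.default_rng(seed)
    n = n_antennas * dwell * cycles
    ant = (np.arange(n) // dwell) % n_antennas
    phi = 2 * np.pi * ant / n_antennas                  # azimuth of the active antenna
    swing = 2 * np.pi * radius_wl                       # peak phase deviation, radians
    phase = swing * np.cos(np.deg2rad(bearing_deg) - phi)
    noise = 0.05 * (rng.standard_normal(n) + 1j * rng.standard_normal(n))
    return np.angle(np.exp(1j * phase) + noise), ant

def switching_reference(ant, n_antennas=4):
    """Reference sine wave generated from the same clock that drives the antenna switch."""
    return np.exp(1j * 2 * np.pi * ant / n_antennas)

def pseudo_doppler_bearing(doppler_tone, ant, n_antennas=4):
    """Compare the phase of the Doppler tone with the reference: the difference is the
    bearing. This is a single-bin DFT at the switching rate, the one FFT bin of interest."""
    tone = doppler_tone - doppler_tone.mean()
    c = np.sum(tone * np.conj(switching_reference(ant, n_antennas)))
    return float(np.rad2deg(-np.angle(c)) % 360.0)

def bearing_error_deg(estimate, truth):
    """Smallest signed difference between two bearings, in degrees."""
    return float((estimate - truth + 180.0) % 360.0 - 180.0)

if __name__ == "__main__":
    for truth in (0.0, 37.0, 90.0, 200.0, 315.0):
        tone, ant = switched_array_tone(truth)
        est = pseudo_doppler_bearing(tone, ant)
        print("true %6.1f deg  estimated %6.2f deg  error %+.2f deg"
              % (truth, est, bearing_error_deg(est, truth)))
```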
So I thought, well, we've got to test it.
We'll pick an obvious source, like that big tower.
Look up a frequency that is at that tower.
Drive around.
X marks the spot for reference.
And then every time we drive around and stop, we take a measurement.
And then after a while, it kind of ends up sort of roughly matching up on the red.
The thing is you have to be really careful because RF is black magic through and through.
That area highlighted in green was actually when I was coming down from a hill into sort
of a lower portion before another hill.
And the RF waves would bounce off the back of the hill behind me and creep up sneakily
on my array on top of the car. And so the direction that was reported by the system was actually behind me, because
that's where the main wave front was coming from. And as soon as I came over the next
hill, I ended up having the direction coming from directly in front of me, which was the
correct one, because there was no obstructions. So reflections are very important to deal
with and to filter out from your measurements. So I repeated it again, this time in Mountain
View. That's where work formerly was. And you might know of a big company that is based
in Mountain View. And they have cars with all sorts of stuff attached to their roof.
So I thought I would pay them a visit with a car with stuff attached to its roof.
So I went for a drive down Shoreline through Google trying to find, pinpoint, this particular
radio transmission. So that's the Doppler approach. It has some
drawbacks.
It's OK. But what you can do is you can actually use all the four antennas again, and then
instead of doing this kind of phase comparison, you can get nitty-gritty down dirty with some
serious math. And one of the popular algorithms is called multiple signal classification, MUSIC.
And the idea is it models incoming waves of sinusoids, and then I won't go into the math
here, but you have an array response that you compute from your array manifold, which
models your antenna setup.
And then the peaks there will determine the direction of arrival. So you can imagine those
points there on the X axis are where the antennas are, and as your wavefront comes
in, they will all hit each antenna at a slightly different point in time. And then you can
determine that phase difference between each individual signal. You can derp the phase
difference. I didn't say derp. Maybe I've been talking too long. You can determine derp.
What? This is pretty good. You're welcome. So this is finding that array response. Here
I have ‑‑ I think I had just four antennas in a row. You tell the model that you have
four antennas in a row, you just express it as a matrix, and then what it does, it will
go through 360 degrees and simulate what the array response would be, and then when you
get the incoming signal, you run that through each particular degree, and then so that goes
from zero to 360 across the bottom, and then you have that peak that matches the exact
array response. The advantage is that you get much higher resolution, but you need as
many radios as antennas now, before we only needed one radio for four antennas. This is
a sort of higher end.
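MUSIC on the four-antennas-in-a-row setup described above, as an added example that is not the talk's code: the array manifold is modelled, every candidate angle is scored, and the peaks give the directions of arrival. The half-wavelength spacing, 15 dB SNR and 400 snapshots are assumed test parameters; one coherent receiver channel per antenna is assumed, which is the extra hardware the talk points out.

```python
import numpy as np

def ula_steering(angles_deg, n_antennas=4, spacing_wl=0.5):
    """Array manifold for a uniform linear array: for each candidate direction, the phase
    each antenna sees relative to the first one (the talk's 'array response'). Angles are
    measured from broadside; a line of antennas cannot tell front from back."""
    theta = np.deg2rad(np.atleast_1d(np.asarray(angles_deg, dtype=float)))
    m = np.arange(n_antennas)[:, None]
    return np.exp(-2j * np.pi * spacing_wl * m * np.sin(theta))   # (n_antennas, n_angles)

def simulate_snapshots(source_angles_deg, n_snapshots=400, snr_db=15, n_antennas=4, seed=0):
    """Constructed data (not a recording): each wavefront hits the antennas with a
    progressive phase shift; all channels are sampled coherently."""
    rng = np.random.default_rng(seed)
    a = ula_steering(source_angles_deg, n_antennas)
    s = np.exp(1j * rng.uniform(0, 2 * np.pi, size=(a.shape[1], n_snapshots)))  # unit power
    sigma = 10 ** (-snr_db / 20) / np.sqrt(2)
    noise = sigma * (rng.standard_normal((n_antennas, n_snapshots))
                     + 1j * rng.standard_normal((n_antennas, n_snapshots)))
    return a @ s + noise

def music_spectrum(x, n_sources, scan_deg=None, spacing_wl=0.5):
    """MUSIC: sample covariance -> eigendecomposition -> keep the noise subspace -> score
    every candidate angle by how little its steering vector leaks into that subspace."""
    if scan_deg is None:
        scan_deg = np.arange(-90.0, 90.5, 0.5)
    n_antennas = x.shape[0]
    r = x @ x.conj().T / x.shape[1]
    _, vecs = np.linalg.eigh(r)                          # eigenvalues ascending
    noise_subspace = vecs[:, : n_antennas - n_sources]   # smallest eigenvalues = noise
    a = ula_steering(scan_deg, n_antennas, spacing_wl)
    leak = np.sum(np.abs(noise_subspace.conj().T @ a) ** 2, axis=0)
    return scan_deg, 1.0 / leak

def estimate_doa(x, n_sources):
    """Directions of arrival: the n_sources tallest local maxima of the pseudo-spectrum."""
    scan, p = music_spectrum(x, n_sources)
    peaks = [i for i in range(1, len(p) - 1) if p[i - 1] < p[i] >= p[i + 1]]
    peaks.sort(key=lambda i: -p[i])
    return sorted(float(scan[i]) for i in peaks[:n_sources])

if __name__ == "__main__":
    print("two sources at -20 and 45 deg -> MUSIC:",
          estimate_doa(simulate_snapshots([-20.0, 45.0]), 2))
```

Two sources well inside one beamwidth of a four-element array are still separated here, which is the resolution gain over the phase-comparison method.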
It's called a quad radio, but I had a little bit of fun with it. You know how you can get
those Nerf-style USB missile launchers? So the idea here is that it acquires you and
then locks on. So if you look closely, when I move the radio around, it will track it.
Wait for it.
I said fire, but there was no audio. Maybe it was turned down. I said fire, and when
it detects that, it shoots you.
So I set it up there again. You know, this is not the cheapest SDR, but I just chucked
it in the boot with a big SLA battery to keep it powered while I was driving around. And
so here, just to do a calibration test, you can see that as I walk around the car, the
compass tracks my movement.
So if I go for a little drive here, then once again, I repeated that route through
Google's campus, but, you know, I picked some of the frequency, and I guess it's kind of
a good track of it except for there down below. But, you know, as I said, those errors creep
in because of reflections. If you're in an urban area with no line of sight to your transmitter,
then it will reflect off other buildings, just like the reflections from that primary
surveillance radar as well. And this is the GNU Radio block that you can download, and
if you have some sort of other setup, you might connect two of these together with a
single reference, you can create a similar sort of thing. All right. Please check the
list if you're going to be driving around like this. Make sure you have your rego paper, amateur
radio license helps. I had some antenna structural redundancy by having a string that I put through
each of the suction caps just in case one would fly off. I can't really drive more than
40 miles an hour because then I get some serious vibrations in the tin. It's kind of scary.
It's good to be clean shaven, I guess. And if you have any radios that are, in fact,
used by the police, like the Motorola XTS radios, it's always good to hide them, because
unfortunately,
some of them don't know that they can be used as legitimate ham radios. So they get
very suspicious when they see, you know, listening to the cops or what's going on. And then because
I had all these wires coming in, I couldn't actually open the door because it was coming
in through the window. So if you sort of turn around and try and disconnect all the
wires in the back, it looks a bit sus. Take it from me. All right. So more security stuff.
Do not try this.
Whatever you are. So with pagers, if you don't like a doctor, I'll read the first bit and
then you can read the next bit. Is your arch nemesis in hospital?
Need to distract security? So these automated alerts were sent out. I can't quite remember
now, but it was something to do with rotation of guards or shift changes or something like
that.
So in mode S, do you want to reach cruising altitude?
As I said, all of these things are all unencrypted. It's illegal to transmit, but all the protocols
are there and you can implement it with these sorts of tools. Do you think the pilot made
the wrong choice in deciding to land? Do you want to display a message on everyone's
radar screen?
You know, there's ASCII art. If you send out enough transponders with different IDs,
then you could probably spell something.
So this is ACARS now, so this is the text messaging for the aircraft. Do you not want
to fly on a particular aircraft?
So these things are automatically sent by the avionics systems. They're incredibly,
you know, complex and thorough in their self checks and it's really interesting to see
the sort of reports that they send out.
Was the flight that you were on a little bumpy?
RR is Rolls Royce.
Do you want to message the cockpit privately?
So in the spec, if I recall correctly, there are four assigned labels that address the
four supposed cockpit printers. I doubt they print paper anymore, but I would be pretty
certain that the message might be displayed on one of the displays.
There we go.
So for satellites, as I was saying, there's that uplink power control that controls the
amount of power that is sent up by the ground station. So it's usually kept at a minimum
because it costs a lot of power to send up kilowatts. Usually if the sky is clear, you
can just send a few watts and it's much cheaper for the part of the transmitter. So it depends
on the weather as we established. Heavy rain, a few kilowatts costs more. I want to keep
the cost down. So what you can do is you can turn your signal a little bit higher than
theirs. And it actually says this in the satellite manual that damn it, I can't read
it. Sorry. A malfunctioning uplink power control system can interfere with other services and
even damage a satellite travelling wave tube amplifier. This is the fancy amplifier in
the RF megaphone that amplifies the weak signal from earth and sends it back down.
If you end up sending a higher power signal than what the amplifier can take, it will
basically bust and it's very unlikely they'll be able to go up and fix it. So you can put
‑‑ you know, it's possible, therefore, to wipe out one of the complete transponders
using that. But, you know, you need some pretty serious equipment to do that. So FasTrak,
you don't want to ever pay a toll again in your life. You know, this only goes over a
short distance, but if you potentially hooked up a 900 megahertz amplifier, you could go
over an overpass and then interrogate the amplifier. So that's the way it works. And
you can interrogate everyone in the past underneath you. Do you want traffic management
to think there's some sort of auto stampede happening on the highway? You can just stand
there and basically respond with everyone's tag. Do you want to keep tabs on someone?
Just set up your reader wherever you want and see if they drive past. So a bit of privacy
concerns there. That's the thing, right? You drive up the highway, it says in fine
print in the FasTrak thing that you can't drive up the highway. It says in fine print
that you will be read at other locations for other purposes like, you know, traffic
monitoring and so on. But I don't think anybody really knows that. And how long do I keep
the data for? What's the retention policy? With all that's been going on lately, does
it get aggregated into other databases? Probably. So don't forget that, you know, if you ever
get bored, say if you get bored at the baseball, there's always SDR to keep you company.
So, yeah, most important thing is be legal and be safe. Only transmit in the bands that
you can. You'll have mobile phones. You automatically get a license to transmit in the cell bands.
You can get an amateur radio license and transmit in the amateur bands and do experimental
stuff there. But elsewhere is not a good idea. So thank you very much.
And if you'd like to know any more information, I put a lot of RF stuff on my wiki, my main
websites and documents, my main projects. A lot of things like the direction finding
and additional blocks for GNU radio and stuff I keep on my GitHub. I'll be pushing
the FasTrak stuff. And if you want to e‑mail me personally or at my work address, then
they're my e‑mails and my Twitter handle.
Yeah, I sent a huge deck to DEF CON, so it should be on the CD. I have an older version
of these on my wiki. The deck that I showed you today has been significantly upgraded,
but in time I'll post those as well as the videos and things like that.
And yeah, if you have any questions, please come and find me and talk to me.
